d18b1b9472e9adad52cdf260422fa4886307f41a4d20ed691f4c11bc375c9022

General

Target

反p2p终结者2012 增强绿色版/反p2p终结者2012增强版.exe
Size

62.6MB
MD5

5e6b1c5a450caebbc8a8e9cbd3f37723
SHA1

fe86b4566340b18fb61c4e6e89c8be94ec6fff00
SHA256

f73b0f38bd675deb45bdf2e0f15cf8b5729d5ef1f1c872da520f282ef3412170
SHA512

7a50a07004e48fe109aad99facaaa295aece2453db759d5ad5887e988693ebbca8e268a1aa53efa7259ffeea8574a6f926f8f87eef12273cd0182df2c8d5cb04
SSDEEP

24576:tXvrMJvSqd8nqX9vH84VT7YLlbDPU16duTPTKWJ/wQ0e:tYJKLnKCDPU8c7KWJE

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10015828-A707-22d2-9CBD-0000F87A469H}\StubPath = "C:\\Program Files\\Common Files\\Microsoft Shared\\bbs\\bbs\\bbs.exe"	反p2p终结者2012增强版.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10015828-A707-22d2-9CBD-0000F87A469H}	反p2p终结者2012增强版.exe

Executes dropped EXE 1 IoCs

pid	Process
1104	forumdisp.exe

Loads dropped DLL 2 IoCs

pid	Process
2824	反p2p终结者2012增强版.exe
2824	反p2p终结者2012增强版.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\forumdisp.exe	反p2p终结者2012增强版.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\xinzhu.txt	反p2p终结者2012增强版.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\bbs\bbs\bbs.exe	反p2p终结者2012增强版.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\kkk.txt	反p2p终结者2012增强版.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\IEFILES5.INI	反p2p终结者2012增强版.exe
File created	C:\Program Files\Common Files\a2.txt	反p2p终结者2012增强版.exe
File created	C:\Program Files\Common Files\Microsoft Shared\bbs\bbs\bbs.exe	反p2p终结者2012增强版.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\bbs\	反p2p终结者2012增强版.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\bbs\bbs	反p2p终结者2012增强版.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared	反p2p终结者2012增强版.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ntfs.bat	反p2p终结者2012增强版.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2824	反p2p终结者2012增强版.exe
2824	反p2p终结者2012增强版.exe
2824	反p2p终结者2012增强版.exe
2824	反p2p终结者2012增强版.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 1104	2824	反p2p终结者2012增强版.exe	21
PID 2824 wrote to memory of 1104	2824	反p2p终结者2012增强版.exe	21
PID 2824 wrote to memory of 1104	2824	反p2p终结者2012增强版.exe	21
PID 2824 wrote to memory of 1104	2824	反p2p终结者2012增强版.exe	21
PID 2824 wrote to memory of 2712	2824	反p2p终结者2012增强版.exe	29
PID 2824 wrote to memory of 2712	2824	反p2p终结者2012增强版.exe	29
PID 2824 wrote to memory of 2712	2824	反p2p终结者2012增强版.exe	29
PID 2824 wrote to memory of 2712	2824	反p2p终结者2012增强版.exe	29
PID 2712 wrote to memory of 2548	2712	cmd.exe	31
PID 2712 wrote to memory of 2548	2712	cmd.exe	31
PID 2712 wrote to memory of 2548	2712	cmd.exe	31
PID 2712 wrote to memory of 2548	2712	cmd.exe	31
PID 2712 wrote to memory of 2836	2712	cmd.exe	32
PID 2712 wrote to memory of 2836	2712	cmd.exe	32
PID 2712 wrote to memory of 2836	2712	cmd.exe	32
PID 2712 wrote to memory of 2836	2712	cmd.exe	32

C:\Program Files\forumdisp.exe
"C:\Program Files\forumdisp.exe"
1⤵
- Executes dropped EXE
PID:1104

C:\Users\Admin\AppData\Local\Temp\反p2p终结者2012 增强绿色版\反p2p终结者2012增强版.exe
"C:\Users\Admin\AppData\Local\Temp\反p2p终结者2012 增强绿色版\反p2p终结者2012增强版.exe"
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSInfo\ntfs.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\bbs\bbs /d everyone /e
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Common Files\Microsoft Shared\bbs" /d everyone /e
    3⤵
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\forumdisp.exe

Filesize
4KB

MD5
b44c83aaaf9e52252f0340785c772faa

SHA1
38026ca434497b3f08464ae1d46091089ad2b564

SHA256
9789a949da0e8c27ddfa08f7ef2f5c0cbb0efad12260bd4c43b7eba87c3e5b04

SHA512
5201d560c037f474201d43bd9bf5aa8dd654d7767bba65407277e7643d37d1fe8425977d911f420e8c40d16c9eefb4cdbdef07f872480492b8a9c9a9015a9a98

Download Submit
C:\Program Files\forumdisp.exe

Filesize
48KB

MD5
5f389284162d3a98eae873fbb87704c8

SHA1
48acf6ca71c54eb6080bb66a8380c335184ba685

SHA256
6608e72a9c22d52f6551d49e5efe234a8341f5cea3756dfec3aa95427f878cc2

SHA512
1c21c05550f1ebb670fe5893d00c82c6220ad9bc197e64b132683793cceedff8cf918ff6b9a3815437e43fb63bc730f633eb03dbd0652c11410847b589b40cc8

Download Submit
\Program Files\forumdisp.exe

Filesize
27KB

MD5
e703257bf8e6ef9b71549b7c6ddb0d4e

SHA1
62da16cfa2b19aa763dceca75d31d8928bae9d8f

SHA256
af39a29252f1a8d4a9fbc7b6412eebea5b458e57ec64b4c3d1c3e17e3aeda3ef

SHA512
1977d630c78da48098110d30f6a614cf1745c474951db1adbea062d65ab45032bc31b3ddae55a0f5bc9c2fef88906b53c677edc3de98c6d48d87a52721da2ed6

Download Submit
\Program Files\forumdisp.exe

Filesize
5KB

MD5
aad8577d05092d52367d2b03d2cd1ce4

SHA1
699c724d1937d0639df30dfb16d6e4efe92eedf5

SHA256
23461bfd949a4c7f3c719427ea41512438d43681f324d74b9530a2ffac5d0a85

SHA512
071be026b8e5af07fc3feb8964a39a12bc496f0bdf1b2abf9acd333fb802cebc1db8160499b906a3ffc3ffffd1b3f308b28c17c64fd5b9a903aaa0ebe6154acd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads